- cypherpunks - lists.cpunks.org

Why cryptome sold web logs to their paying customers?
by Georgi Guninski 10 Oct '15

10 Oct '15

The main question is: 1. Why cryptome sold web logs to their paying customers? Related questions: 2. Did they do it on purpose? 3. Did LEAs already had the logs via sniffing (at that time cryptome.org didn't have SSL AFAIK)? 4. Is it likely that the web server (and likely all internet connected machines of cryptome operators) was compromised? In other news JYA talks in nearly prose: http://www.dailydot.com/politics/cryptome-ip-leak-john-young-michael-best/

4 6

Why cryptome sold web logs to their paying customers?
by Michael Best 10 Oct '15

10 Oct '15

> > I say Best's name's appearance in DailyDot or > any other media constitutes an ongoing for-profit commercial motivation > as redistributor. HAHAHAHAHAHAHAHAHAHAHA.

4 10

Introduce randommess in keypress timings
by Michael Nelson 10 Oct '15

10 Oct '15

> It is surprising to know that Javascript is fast enough not to have an impact on system performance when monitoring the keystroke timing! Well it does have an impact, but not enough to ruin things. Of course it's not just js itself, but the browser, which swaps things in and out to do lots of things whenever it feels like it. As requested, here are some details. This is more technical than political, but may be of interest. This concerns keystroke dynamics on a phrase known by the auth server, not the general background stuff. So we are not really talking about the passive spying/monitoring here, but rather a potential product. So after I wrote my keystroke dynamics proof-of-concept I discovered that the statistical technique had been patented 25 years before (the patent had expired), which validated my approach... Mine had some extra twizzlers though. At Web browser-based initialization, the user sets a reference challenge word, say, "foobar". She must then enter some samples. For each sample, a vector of 12 time values is created, one for each keyDown and keyUp event. Some subtlety is needed in the programming, as keyUp on F might occur before keyDown on O on one sample, but after on the next. We would like to compare apples to apples. So we have a sample from the population of vectors as generated by the human. When authentication is checked, we must measure the distance of our trial vector, from the population. For this I used the Mahalanobis distance. Mahalanobis was a well-known Indian statistician who in the 1930s designed a test in order to help anthropologists decide whether skull fragments found in caves matched each other. This test measures the distance between each pair of entries in a vector. So F-down and F-up are compared, and also F-down and A-down are compared. Crucially, the distributions for each pair are normalized. The vectors can have any numerical data in the components. It can be used in botany with leaf area, weight, rainfall, etc. It works beautifully for typing patterns. Notice that we don't need to extract "dwell" times for keys, but all the same info is there in the more primitive array. I set a configurable threshold of 20 for the distance triggering secondary authentication. If I typed with proper focus, I would get distance of say around 4. If someone else typed they would get say 70 or 150. These are just typical examples. It worked fine. Here are some things I learned. 1. It's very hard to test objectively to make a business case. Why? Well if you go around the cubicles asking people to try it, you might get some people testing it on a laptop they don't normally use, or using some sort of random typing, on a string that they don't have an established pattern for. I realized that KD is not magic. Just as you would not expect to type a normal password "123456" by mashing the keys randomly, you have to consciously type in your official pattern for KD to work. It is well-known that the best words for KD are things like your own name, for which you have a well-established pattern. Now you see one of the reasons that this stuff has not taken off. You might assiduously set the samples (or have passive background capturing working) on your usual desktop. Then it will fail when you hunt-and-peck on your laptop. 2. I had a mobile developer add in touchscreen events for an iPhone test. This uses character and time, and also x and y co-ordinates for both press and release (there is some drag). The future will bring force. The beauty of Mahalanobis is that these just go right in and work immediately. Well, the stats does. Dealing with these big fat vectors is not trivial. I proved that it would work (actually it could not fail), but did not complete the mobile version. 3. I hacked the stats out in C. Interestingly, for me it was harder getting the online demo going with the Web page, jQuery, PHP, and MySQL, than implementing the actual Mahalanobis test. Maybe I should set the demo up for folks to try. 4. Twizzlers. One is that I allowed arbitrary shifty characters in my phrase. So in fact our user could simply tap her favorite rhythm on the Ctrl key, for her authentication factor. Worked fine. 5. Hope the above was of interest... mn

4 5

[cryptome] Re: [cryptome]
by Michael Best 10 Oct '15

10 Oct '15

In a version uploaded by coderman, which someone else posted as a torrent to the Pirate Bay. ATM, I'm not 100% clear whether he made it into a torrent or not. *Juan* juan.g71(a)gmail.com <juan.g71%40gmail.com?Subject=Re%3A%20%5Bcryptome%5D%20Re%3A%20%5Bcryptome%5D&In-Reply-To=%3C561971e5.e31f8c0a.f0dba.fffff987%40mx.google.com%3E> > > *Sat Oct 10 16:21:14 EDT 2015*On Sat, 10 Oct 2015 05:03:13 -0400 > Michael Best <themikebest(a)gmail.com> wrote: > >* But what's terribly wrong is that I reported > *>* it - *not* that John leaked it or lied it about it when he kept > *>* denying it or anything else. [/sarcasm] > * > Yes, you getting blamed is pretty ridiculous. The stuff was > also *published* in a *public* torrent by coderman??

1 0

The GCHQ Cryptome slide could be a mockup/disinfo
by Michael Best 10 Oct '15

10 Oct '15

Did you see the first one where I asked for help verifying the information in redacted form, specifically from John Young/Cryptome but in no way excluding the list? Or that after I posted the redacted version of the logs, and before John Young first denied they were real (before denying it again then admitting it again), he sent me an email saying ""Keep at it." Or my general request on Twitter, which wasn't limited to the list and occurred after the list had been alerted to the matter? https://twitter.com/NatSecGeek/status/651760609189568512 > Ok i read it all see no fucking ask of this community for help on the > matter

2 2

[cryptome] Re: [cryptome]
by Michael Best 10 Oct '15

10 Oct '15

> > Maybe because Mike _published_ the fucking logs, just because JYA was > doing the mirror shades thing about whether the archive was or was not > genuine? I mean, JYA can be a very funny man. For sure. But does that > justify publishing Cryptome access logs? I published them to verify the data, *AFTER JYA publicly accused me of FAKING it.* I only raised the point of the logs because of the GCHQ slide. *If *John had verified it a week earlier, or not accused me of faking data (with ZERO evidence, and the data turns out to be legit) *they never would've been published. *

4 6

Why cryptome sold web logs to their paying customers?
by Michael Best 10 Oct '15

10 Oct '15

*Razer* Rayzer(a)riseup.net <Rayzer%40riseup.net?Subject=Re%3A%20Why%20cryptome%20sold%20web%20logs%20to%20their%20paying%20customers%3F&In-Reply-To=%3C56196739.2040408%40riseup.net%3E> *Sat Oct 10 15:30:01 EDT 2015* On 10/10/2015 11:51 AM, Shelley wrote: >>* The Cryptome archives *are* publicly accessible. * Imho It's NOT his (Best's) material to decide to post without permission of the creator. Publicly available or not, at Archive.org. Cryptome owns the copyright for very little of the material in their archive. Most of it is public domain items or things that were reprinted from elsewhere, like news articles. John uses these under fair use, for educational and research purposes. If John wants to assert a copyright claim for the items that they did originally produce, then they are welcome to do so. I'm sure they're capable of it without you. But I'm guessing that won't convince you, so maybe John Young can. Let's hear from him, shall we? "We would have dumped it, the whole thing. Everyone else likes to play this game: 'What if we harm somebody' or all this kind of crap. Which is strictly cowardice." Deborah Natsios said that one of their goals is "To pry open the privatised domain, the realm of copyright interests, the not-public domain, the not-public space of corporate interests—but there are private security guards, global security mercenaries who patrol that boundary." John then added "We're great advocates of plagiarism and stealing." I feel like posting the entire archive for educational and research purposes is entirely fair game. He argues that Citizenfour should be in the public domain, and I'm sure he'd make that same argument about his archive. If not, he'll speak up. --Mike

1 0

[cryptome] Re: [cryptome]
by Michael Best 10 Oct '15

10 Oct '15

*Cari Machet* carimachet(a)gmail.com <carimachet%40gmail.com?Subject=Re%3A%20%5Bcryptome%5D%20Re%3A%20%5Bcryptome%5D&In-Reply-To=%3CCAGRDzQWRPraNrJFuHeuekTxDAJ6K6N0JK4o%2BowjxX101_SamZg%40mail.gmail.com%3E> *Sat Oct 10 14:00:00 EDT 2015* > Everything leaks but dont be the one leaking it - the determinant leaker > axiom ... ... John Young would be the one who leaked it, Cari. And refused to fix it. I posted when it became clear he wouldn't stop and was calling the disclosure disinfo.

1 0

Re: The GCHQ Cryptome slide could be a mockup/disinfo
by Shelley 10 Oct '15

10 Oct '15

On October 8, 2015 8:43:31 AM Georgi Guninski <guninski(a)guninski.com> wrote: > On Fri, Oct 02, 2015 at 10:23:12PM -0400, Michael Best wrote: > > A few days ago, a new Snowden slide > > > <https://theintercept.com/2015/09/25/gchq-radio-porn-spies-track-web-users-o…> > > was > > released that appeared to show that the GCHQ was monitoring Cryptome in > > Dude, are you calling Snowden liar? > > And did you found out that allegedly cryptome shipped their web logs on > usbs to buyers AFTER you called Snowden liar? Wow, what the hell is going on here?! I'm replying to all of the posts made thus far on this topic; I'm sorry, but I don't have the time nor inclination to respond to them individually. So John finally replies, but feels the need to call this guy an asshole. Why is that? I don't know him, but going solely by his site and contributions to archive.org, he is a legitimate researcher. He tried going through the usual steps before disclosure, just like the rest of us do. Only brought it to the public for verification and analysis after the source refused to cooperate: just like the rest of us. Problem? There are no sacred cows. There is only data, and whatever truth is borne out of it whether or not it's the answer we wish to see. The scientific method and all, you know, that most of us hold dear. Georgi, he didn't outright say Snowden was a liar. He was calling into question the validity of a slide that Snowden may not have even seen, or may not have scrutinized. Also, the journalists releasing the data have an open history of working with the feds before releasing info - how do we know they wouldn't possibly alter data under pressure? A decade ago, no less than the venerable NYT sat on the warrantless wiretapping story for over a year! They caved when Risen's book was about to be published. That does not exactly inspire confidence. But what if this (or any other claim, backed with evidence) *did* call into question the rest of the data attributed to the Snowden dumps? Isn't the truth more important than holding up false ideals? Religion and politics have the lock on that brand of cognitive dissonance, they don't need our help. Snowden is not infallible. Cryptome/JY are not infallible. Hell, even Ellsberg isn't infallible (as we were recently reminded.) Best is not infallible, but I haven't seen him claim to be so. Don't judge the messenger; look at the data and draw your own conclusions, the way we do with everything else. This isn't a false controversy, Travis. And some of us do care. -Shelley

10 14

Re: Introduce randommess in keypress timings
by Michael Nelson 10 Oct '15

10 Oct '15

> Is there anything that tells us how many bits of entropy are found in the brainsong (rhythm, melody) of random users? Five minutes of Swedish death metal should get you around 256 bits. mn

5 4